Digital Identity in Healthcare: What's Coming Down the Pike
Lisa Gallagher, BSEE, CISM, CPHIMS, FHIMSS, VP, Technology Solutions, HIMSS

Discussion
- What is the Problem?
- What is Digital Identity and How Does it Relate to Healthcare?
- What is NSTIC?
- The NSTIC CSDII / Inova Healthcare Pilot
- The Future for Healthcare

What is the Problem?
- Patient and Provider Data Access - Individuals often need to manage numerous accounts with user names and passwords
- These types of access controls are not sufficient. In fact, a recent study shows that 76% of network intrusions exploited weak or stolen credentials [1]
- Identity proofing and verification is essential to ensure proper delivery of care and protect privacy
[1] Source: 2013 Data Breach Investigations Report, Verizon and US Secret Service

What is a Medical Record?
- A medical record is a permanent record that contains identifiable medical information, and is intended for use in decision-making relevant to a patient's health coverage, diagnosis and treatment.
- Often includes a patient's name, Social Security number, address, insurance number or other identifier that links to an individual.
- A medical record can be in paper or electronic form and can be maintained by payers, providers and/or business associates.

The Value of Medical Identity
- Criminals - Use of medical identities to commit fraud (for example, to improperly obtain medical goods, services, or pharmaceuticals) or to bill payers (private, Medicare/Medicaid) for such that are never delivered or received. This is more profitable than drugs, prostitution, and other forms of identity theft.
- Ordinary people - Medical identities can easily be shared to obtain medical goods, services or drugs.
- Thus, the value of such identities can be 20 to 50 times the value of financial records alone.

Types of Medical Identity Theft
- Medical identity theft refers to the misuse of another individual's PII, such as name, date of birth, SSN, or insurance policy number to obtain or bill for medical services or medical goods. [1]
- Robin Hood Fraud - When an individual knowingly gives a friend or family member information to fraudulently receive healthcare services or goods.
[1] HHS Office of the National Coordinator, Medical Identity Theft Environmental Scan, October 15, 2008,

Risks to Individual Patient Financial Reputation/Credit Report Patient Safety Coverage /Access

Recent Press
- USA Today, Sept. 13, 2014: There is an epidemic of medical identity theft. Mentions:
  - Hacks of Healthcare.gov
  - Healthcare.gov navigators not required to have background checks
  - Community Health System hack by Chinese actors
- Fortune, Aug. 31, 2014: Medical identity theft: How the health care industry is failing us. Healthcare industry is failing to:
  - Detect
  - Mitigate
  - Share information
  - Create sources of threat and incident data

Some Numbers
- A minimum of 3% of our healthcare spending is fraudulent and abusive [1]; that translates to over $114 billion* annually to our healthcare system [1]
- My Math. Medical ID theft is about 3 percent of healthcare fraud overall; that translates to $3.4 billion as the cost of medical ID theft to the system as a whole
- Kaiser Report - In early 2014, the Identity Theft Resource Center produced a survey showing that medical-related identity theft accounted for 43 percent of all identity thefts reported in the United States in 2013. (This is stated poorly; actual ITRC report states that this is percentage of breaches.)
[1] Source: NHCAA (National Healthcare Anti-Fraud Association)
* - I've seen estimates of $80 Billion to $230 Billion

Unique Challenge for Healthcare: Patient Data/Record Matching
- Patient Data Matching is the task of identifying, matching, and/or merging records that belong to the same patient that are currently stored in multiple applications or databases.
- Problem Statement: Today there exists no safe and effective way to identify and accurately link patients with their clinical data.

Patient Data Matching - Challenges
- A 2008 Rand Corporation Study [1] estimated that 8%-10% of EMRs contain errors related to matching patients with their data.
- A 2009 HIMSS White Paper [2] documented nine factors that contribute to/influence current error rates.
- In the near term, consistent patient data-matching strategy is absolutely essential to obtaining the full benefits of health information technology, controlling costs, and ensuring patient safety.
- A 2012 HIMSS White Paper provides Measures and Key Attributes for

Work on Patient Data Matching
Near Term
- Industry - improve current matching algorithms
- HIMSS - address future matching across HIEs/data exchange
- HIMSS Innovator-in-Residence Project with HHS and industry
Long Term
- Migration to use of Multi-factor, Multi-Level-of-Assurance Digital Identity

HIMSS Innovator-In-Residence Project IIR is Embedded at HHS Office of CTO, and ONC Project Work on Data Quality Joint industry project (with WEDI, MGMA, others) on a Virtual Clipboard Test Open Algorithms against Gold Standard Data Set Validate using both Real and Synthetic Data Sets Set benchmark and reduce variables Create permanent test bed

Future Use of Digital Identity
- Migration to use of Multi-factor, Multi-Level-of-Assurance Digital Identity
- Work within the strategy being developed by the National Strategy for Trusted Identities in Cyberspace (NSTIC) Project

What is Digital Identity? http://en.wikipedia.org/wiki/identity_management

Identity Management is Evolving - Gartner Predictions [1]:
1. Every user is a consumer.
2. A competitive marketplace for identity services is evolving.
3. We will see the death of "least privilege."
4. Legacy pricing models will radically change.
5. Context-based attributes will be the dominant mechanism for access control.
6. Identity analytics and intelligence (IAI) tools will deliver direct business value.
7. The Internet of Things will redefine the concept of "identity management" to include what people own, share, and use.
[1] Fontana, J., Seven ways identity, access management will change in the enterprise, http://www.zdnet.com/seven-ways-identity-access-management-will-change-in-the-enterprise-7000023382/

Identity Management in Healthcare
- Creation and management of individual digital identity for both providers and patients (and computing assets)
- For providers (and all who require access to data), used for Authentication, Access Control and Audit
- For patients, used for the above, but this will also help with: identifying the same individual across health care organizations using the attributes/identifier(s) specified as part of the identity

What is NSTIC?
- Called for in President's Cyberspace Policy Review (May 2009): a cybersecurity focused identity management vision and strategy that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation.
- National Strategy for Trusted Identities in Cyberspace
- NSTIC calls for a National Identity Ecosystem
- Guiding Principles
  - Privacy-Enhancing and Voluntary
  - Secure and Resilient
  - Interoperable
  - Cost-Effective and Easy To Use
- Calls for: an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.
[1] Source: Jeremy Grant, Senior Executive Advisor, Identity Management, National Strategy for Trusted Identities in Cyberspace (NSTIC), National Institute of Standards and Technology (NIST), HIMSS Annual Conference 2014, Session #78

NSTIC Healthcare Pilot [1]
- Cloud Based Strong Credentials + Privacy Barrier
[1] Source: Dr. Marshall Ruffin, Chief Technology Officer, Inova Healthcare, HIMSS Annual Conference 2014, Session #78

What We Learned from the Healthcare Pilot
Use of Digital Credentials provides the following benefits [1]:
- Increased Security
- Enhanced Privacy
- Reduced Cost
- Ability to leverage multiple credential types (incl. 3rd party credentials)
- Consistent authentication mechanism
- Decreased administrative and maintenance overhead
- Positive perception to patients and providers
[1] Source: Dr. Marshall Ruffin, Chief Technology Officer, Inova Healthcare, HIMSS Annual Conference 2014, Session #78

What Does All of This Mean?
In the immediate future, we will be able to:
- Create and Use a Multi-factor, Multi-level of Assurance Digital Identity for a patient (consumer)
- Link Patient Records using better quality data elements and with better assurance
In the near future, we will migrate to use of Trustmarks or Componentized Trust:
- Patient Identity
- Communication of Trust Across Trust Frameworks:
  - Hospital to Hospital
  - HIE to HIE, etc.

How will this help with Medical Identity Theft?
Strong Authentication
- Prevents inappropriate access
- Including Identity Proofing - Patient authentication includes ensuring that patients receiving services are the individuals they claim to be.
Technology Solutions
- Digital Identity, deployed by/using:
  - Digital Identity services
  - Biometrics
  - Smart chips (embedded in cell phones)
  - Smart cards
[1] Booz Allen Hamilton, Medical Identity Final Report, prepared for U.S. Department of Health and Human Services, January 15, 2009, Page 16

QUESTIONS?

Lisa Gallagher, BSEE, CISM, CPHIMS, FHIMSS VP, Technology Solutions, HIMSS @LGallagherHIMSS